Säkerhetsbulletin från Debian

DSA-177-1 pam -- grav säkerhetsöverträdelse

Rapporterat den:

2002-10-17

Berörda paket:

pam

Sårbara:

Referenser i säkerhetsdatabaser:

I Mitres CVE-förteckning: CVE-2002-1227.

Ytterligare information:

En allvarlig säkerhetsöverträdelse upptäcktes i PAM. Inaktiverade lösenord (dvs. de med ”*” lösenordsfilen) klassificerades som tomma lösenord och tillgång till dessa konton gavs via den vanliga inloggningsproceduren (getty, telnet, ssh). Detta fungerar för alla konton av den typen vars skalfält i lösenordsfilen inte anger /bin/false. Endast version 0.76 av PAM verkar vara berört av detta problem.

Detta problem har rättats i version 0.76-6 för den nuvarande instabila utgåvan (Sid). Varken den stabila utgåvan (Woody), den gamla stabila utgåvan (Potato) eller testningsutgåvan (Sarge) berörs av detta problem.

I Debians säkerhetsgrupps frågor och svar-dokument står det att uttestningsutgåvan och den instabila utgåvan är mål som rör sig fort och att säkerhetsgruppen inte har de resurser som behövs för att ge dessa ett fullgott stöd. Denna säkerhetsbulletin är ett undantag från den regeln, på grund av problemets allvarlighetsgrad.

Vi rekommenderar att ni uppgraderar era PAM-paket omedelbart om ni kör den instabila utgåvan av Debian.

Rättat i:

Debian GNU/Linux unstable (sid)

Källkod:: http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc; http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz; http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
Arkitekturoberoende komponent:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
Alpha:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
ARM:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
Intel IA-32:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
Intel IA-64:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
HP Precision:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
Motorola 680x0:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
Big endian MIPS:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
Little endian MIPS:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
PowerPC:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
IBM S/390:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
Sun Sparc:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.